iOS users have begun receiving a prompt from Apple asking for answers to …

Apple has begun to ask iOS device owners for the answers to security questions as part of an effort to beef up Apple ID security. iPhone users began widely reporting the change on Thursday, though the changes actually began happening sometime in the last 24 hours. Not all iOS users have seen the request pop up yet, however, leaving some confused about whether the prompt is legitimately from Apple.

The prompt that shows up on an iOS device says "Security Info Required." It proceeds to ask the user to select from a handful of security questions and provide answers. If the user has not yet provided a backup e-mail address to Apple for his or her Apple ID, Apple requests that as well, and then prompts the user to verify it using a link to Apple's website. In addition to the prompt on the iOS device, some have reported (via Apple's discussion boards) that they are being asked the same questions via iTunes on the computer.

This is undoubtedly meant to help combat the growing number of phishing attempts on people's Apple ID and iTunes accounts. Reports from iTunes users about unauthorized charges have been trickling in for years at this point, and Apple's support team is likely getting inundated with requests for help. In fact, it's almost ironic that some users are suspicious of the prompt and believe it to be a phishing attempt. We were able to confirm that the prompt is indeed legit. (Still, it's always better to be safe than sorry!)

33 Reader Comments

Considering that security questions are often enough the weakest link in security (well, you can follow Schneier's advice, but that basically leads the whole concept ad absurdum), enforcing them even more doesn't seem like such a brilliant idea.

Considering that security questions are often enough the weakest link in security (well, you can follow Schneier's advice, but that basically leads the whole concept ad absurdum), enforcing them even more doesn't seem like such a brilliant idea.

+1. Way easier to guess security questions than actually figure out someone's password; this is more like security theater.

Goddammit. I hate security questions with a passion. Either they are secure by filling them with bogus, but rendering it impossible to retrieve a password or they're incredibly insecure by filling them in truthfully.

I've always just picked a different person in my family and answered as that person. As long as I'm consistent, I'm good to go, and I defy anyone to figure out the answers for someone who died more than 10 years ago (and therefore has no online presence) who might or might not be the person I'm answering as.

Yeah, they aren't great, and people suck at using them, but this is a pretty easy thing to make work.

I do wonder why Apple doesn't use a two-factor system though, given the simplicity and that everyone would be on registered machines (so having the security token there shouldn't be a problem).

Goddammit. I hate security questions with a passion. Either they are secure by filling them with bogus, but rendering it impossible to retrieve a password or they're incredibly insecure by filling them in truthfully.

I use bogus answers, and keep the question/answer pairs recorded in 1Password right alongside the ID/password.

Typically my bogus answers end up being a rather snarky sentence when concatenated, if a service asks me for multiple "security" questions.

Yeah, they aren't great, and people suck at using them, but this is a pretty easy thing to make work.

Sure, but now you've got to remember the person and the arbitrary thing you used - and then what's the difference to a password anymore? It's just another password to remember for the same site - which makes it even more likely that people will reuse it.

Sure, lots of people here on Ars will know how (and why!) to cheat them, but I'm pretty sure the vast majority of users won't (and we have some proof for that, considering the number of celebrity accounts that were hacked due to security questions).

lake393 wrote:

Wish-it-were-two-factor-authentication at its best

I'll shamelessly steal that phrase from now on (but I hope nobody at Apple thinks of this as two-factor auth, oh god please).

Security questions are so retarded. God damn it Apple. Security questions make security worse, not better. It sucks enough when banks do it (and then only allow alphanumeric passcodes dohoho) let alone anyone else.

Yeah lol, it's from The Daily WTF (.com). I edited my post with the link. Sorry it took a long time; I'm on an iPhone.

I didn't remember that particular TDWTF post, so I wasn't accusing you of anything (only telling you I'd be doing exactly the same thing; it's just too great a phrase not to use). But the link now makes your post even better.

My wife had this popup last night and I immediately thought it was a phishing attempt, even though she was in-app purchasing via Hipstermatic... I guess I just don't trust any requests for security questions outside self-initiated or top-level (apple.com/iTunes desktop) requests.

After some Googling I figured out it was legit and the world continued.

The security question is not in lieu of your password it is in addition to. How is this making security worse?

It makes it worse because on a mobile device it's nearly impossible to copy-pasta from a special txt file of long random "answers" to the personal questions. Therefore most people pretty much have no choice but to use easy-to-remember answers (read: true answers), which is a huge vulnerability because everyone on Facebook knows your dog's name is Coco.

Maybe they should call Microsoft and ask them for advice on securing a login system. Currently Google is the only one with a 2-factor option, but to get around the number of apps using a locked login prompt for Google account login, the workaround is one-time passwords for devices like cellphones, especially Android phones and Chrome OS devices.

The security question is not in lieu of your password it is in addition to. How is this making security worse?

Read the above WTF link for starters. In short though, adding worthless complexity onto a single factor of authentication is always detrimental. Fundamentally, authentication involves supplying one or more factors that only the proper person should possess. There are only a few distinct categories for these, commonly listed as: "something you know", "something you have", "something you are". In the case of each of these factors, one wants the absolute maximum combination of both security and convenience. Combining multiple factors is a very strong way to increase those, showing non-linear gains if handled correctly.

But simply adding "more" to a single factor is worse than useless. A "security question" is still just "something you know", which means that basically now the system wants two passwords instead of one. Good convenient passwords tend to be somewhat tricky to remember. It's best to have a single very good password and be careful about distributing it (use it in a meta authentication scheme) and/or change it from time to time. 2 weak passwords are vastly worse than a single good password while also being more difficult to remember, even more so if it's a password you're only asked for once in a blue moon. The very nature of a "password and another-uncommonly-used-password" system strongly encourages people to either use weak, easy-to-remember passwords, or to use strong strings and then write them down or store them in a password manager, adding irritation, complexity and time for absolutely zero gain whatsoever.
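The factor argument above (a security answer is just a second, weaker "something you know") can be made concrete by comparing how hard a truthful answer is to guess against a random string of the kind several commenters say they store in a password manager. The Python below is an added example written for this page, not code from Ars Technica, Apple or any commenter; the popularity table for dog names and the 5,000-name long tail are constructed assumptions, chosen only to illustrate the size of the answer space.

```python
import math
import secrets
import string

# Constructed, illustrative popularity table for a typical security question
# ("What is your dog's name?"). These numbers are assumptions for this example,
# not survey data; real distributions are even more skewed toward a few names.
COMMON_DOG_NAMES = {
    "max": 0.04, "bella": 0.04, "charlie": 0.03, "lucy": 0.03, "coco": 0.02,
    "buddy": 0.02, "daisy": 0.02, "rocky": 0.02, "molly": 0.02, "bailey": 0.02,
}
# Assumption: the remaining probability mass is spread evenly over a long tail
# of 5,000 other names.
LONG_TAIL_SIZE = 5000

# Alphabet for "treat the answer as a second password" style random answers.
ANSWER_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def guess_rank(answer):
    """Position of `answer` in a most-popular-first guess list (1 = first
    guess), or None when the answer is outside the common-names table.
    Python's sort is stable, so ties keep the table's order."""
    ordered = sorted(COMMON_DOG_NAMES, key=lambda n: -COMMON_DOG_NAMES[n])
    key = answer.strip().lower()
    return ordered.index(key) + 1 if key in ordered else None


def truthful_answer_entropy_bits():
    """Shannon entropy (bits) of the truthful-answer distribution: the
    uncertainty a guesser faces before trying anything."""
    entropy = 0.0
    for p in COMMON_DOG_NAMES.values():
        entropy -= p * math.log2(p)
    tail_mass = 1.0 - sum(COMMON_DOG_NAMES.values())
    tail_p = tail_mass / LONG_TAIL_SIZE
    entropy -= LONG_TAIL_SIZE * tail_p * math.log2(tail_p)
    return entropy


def random_answer_entropy_bits(length, alphabet=ANSWER_ALPHABET):
    """Entropy (bits) of a uniformly random answer of `length` symbols."""
    return length * math.log2(len(alphabet))


def random_answer(length=30, alphabet=ANSWER_ALPHABET):
    """A bogus answer meant to live in a password manager next to the
    account's real password, as commenters above describe doing."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare(truthful, length=30):
    """Summarise both strategies for one truthful answer."""
    return {
        "truthful_guess_rank": guess_rank(truthful),
        "truthful_bits": truthful_answer_entropy_bits(),
        "random_bits": random_answer_entropy_bits(length),
    }


if __name__ == "__main__":
    result = compare("Coco")
    print(f"'Coco' is guess #{result['truthful_guess_rank']} in the popular list")
    print(f"truthful answer space: ~{result['truthful_bits']:.1f} bits")
    print(f"30-char random answer:  ~{result['random_bits']:.1f} bits")
    print("example random answer:", random_answer())
```

Under these assumptions the truthful answer carries roughly 11 bits of uncertainty, and a motivated guesser who knows the victim finds it in a handful of tries, while a 30-character random answer carries close to 200 bits. The random answer is only as safe as the place it is stored, which is the commenters' point: it is a second password, not a second factor.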

The security question is not in lieu of your password it is in addition to. How is this making security worse?

It makes it worse because on a mobile device it's nearly impossible to copy-pasta from a special txt file of long random "answers" to the personal questions. Therefore most people pretty much have no choice but to use easy-to-remember answers (read: true answers), which is a huge vulnerability because everyone on Facebook knows your dog's name is Coco.

And speaking of yet more actually important things Apple could do for security, adding support for integration of password managers into iOS would be high up on the list.

Hagen wrote: The security question is not in lieu of your password; it is in addition to. How is this making security worse?

The security questions are used when you can't remember your password, or when your password has been overwritten by Apple due to too many incorrect attempts. You go to iforgot.apple.com and reset your password one of two ways, by email or answering the security questions.

Hagen wrote: The security question is not in lieu of your password; it is in addition to. How is this making security worse?

The security questions are used when you can't remember your password, or when your password has been overwritten by Apple due to too many incorrect attempts. You go to iforgot.apple.com and reset your password one of two ways, by email or answering the security questions.

...and, by extension, if I can figure out that minnmass's Apple ID is minnmass (which is by no means unlikely), and I've forum-stalked him enough to know that his dog's name is Coco and he was born in Timbuktu, then I have a pretty decent shot of hijacking his Apple account and buying hundreds of dollars worth of iTunes music and videos. I can go to iforgot.apple.com and tell them that I've forgotten "my" password, and would you please reset it, as clearly I am the person I claim to be because I know his dog's name!

Hence, security is worsened.

As has been mentioned, the security question also tends to lead to weaker passwords as people believe that the questions strengthen the authentication system. So, it's a nice double-whammy.

My bank (US Bank) has the following crappy "security questions". Of course I answer them all with random, 30-character strings.

What was your first employer?
My resume is or has been available on several job sites. Look it up, it takes 5 minutes.

What is the closest highway to your house?
My address is in my resume. You can use Google Maps, can't you?

What is the city you would most like to live in?
I've never mentioned to anyone where I want to live, nor posted about it online. Nosirree. It's not something you can find with a quick search at all.

What city were you born in?
Because this is so very difficult to find in public records...

What city do your grandparents live in?
They are all dead, you unfeeling bastards. Also, phone books and other address registries had this info when they were alive (though both sets had divorced and moved apart, so which of the 4 addresses to choose?).

So none of them are even remotely secure if answered truthfully. I'm glad it accepts answers like "fvW,jpg8;3&(&<UL>?M3`p0!bgF-!B", otherwise anyone could access my bank account online.

My bank (US Bank) has the following crappy "security questions". Of course I answer them all with random, 30-character strings.

Wow, that's ridiculous in 2012 xX (I mean, the TDWTF article at least was from 2007).

Not sure if there are some Austrian/European laws wrt that, but all my banks have used 2-factor auth (either an SMS to mobile [with smartphones that's getting less and less 2-factor though] or a securely sent printout with random numbers) to authenticate transactions and stuff for years now.

The ridiculousness of this security-question scheme is only surpassed by the blind following and adoption of it by companies and websites. (This and the voice prompts in phone menus too!)

If you don't use correct answers (which you obviously shouldn't), then you now not only have to remember the password, which, with the growing number of web accounts, is getting difficult enough as it is, you now also have to remember the fake answers to these stupid questions, which may have no relevance of any significance to your life.

Given that they're also requesting a secondary email address, I'm guessing these aren't about security per se, but about making it easier for users to regain access to accounts they've been locked out of for whatever reason. Facebook and Google are quite persistent about asking for backup contact info, for the same reason.

I agree that two-factor auth would be nice for Apple IDs, especially as they get used more widely. I've been using Facebook's SMS-based scheme for a while; should probably get around to setting up the Google one.

What is the closest highway to your house?
My address is in my resume. You can use Google Maps, can't you?

This sort of thing is as retarded as assuming that an email address is a single unique persistent ID. Does the bank not expect its customers ever to move? Likewise for these idiot questions like "what is your favorite xxx?" Are people not expected to ever change their tastes? Likewise for the name of your dog.

The history based questions at least don't suffer from this idiocy, but they suffer from the idiocy of assuming that we all care so much about the past that we remember the names of our first grade teacher or our first dog or whatever.

Considering that security questions are often enough the weakest link in security (well, you can follow Schneier's advice, but that basically leads the whole concept ad absurdum), enforcing them even more doesn't seem like such a brilliant idea.

jdale wrote:

+1. Way easier to guess security questions than actually figure out someone's password; this is more like security theater.

++ These are becoming required everywhere these days. When will they wake up and realize that a number of high-profile 'hacks' have been accomplished by harvesting publicly available information? I'm beginning to think companies that do this will need to get sued in order to make them shape up.

Bad. Why? Pre-generated security questions. I already stopped using my Apple account when they locked it and refused to provide me the details about a suspected attempt at accessing my account. I was debating going back and unlocking my account, but now I think I will just leave it and buy a non-iOS phone next time around.